Changeset 4139 for trunk/comments.php

Timestamp:

Oct 28, 2009, 9:34:29 PM (15 years ago)

Author:

nikrou

Message:

bug 1220 : fix XSS vulnerability.
filter on since parameter (is_numeric)
use only htmlspecialchars to filter vars to display
revert rev:3600 add left join on users table

Todo : use only left join on users table when a search by author is made

File:

• trunk/comments.php (modified) (6 diffs)

trunk/comments.php

@@ -61 +61 @@
   );
 
-$page['since'] = isset($_GET['since']) ? $_GET['since'] : 4;
+if (!empty($_GET['since']) && is_numeric($_GET['since']))
+{
+  $page['since'] = $_GET['since'];
+}
+else
+{
+  $page['since'] = 4;
+}
 
 // on which field sorting
@@ -103 +110 @@
 
 // search a particular author
-if (isset($_GET['author']) and !empty($_GET['author']))
+if (!empty($_GET['author']))
 {
   $page['where_clauses'][] =
@@ -111 +118 @@
 
 // search a substring among comments content
-if (isset($_GET['keyword']) and !empty($_GET['keyword']))
+if (!empty($_GET['keyword']))
 {
   $page['where_clauses'][] =
@@ -198 +205 @@
   array(
     'F_ACTION'=>PHPWG_ROOT_PATH.'comments.php',
-    'F_KEYWORD'=>@htmlspecialchars(stripslashes($_GET['keyword'])),
-    'F_AUTHOR'=>@htmlspecialchars(stripslashes($_GET['author'])),
+    'F_KEYWORD'=> @htmlspecialchars($_GET['keyword'], ENT_QUOTES, 'utf-8'),
+    'F_AUTHOR'=> @htmlspecialchars($_GET['author'], ENT_QUOTES, 'utf-8'),
     )
   );
@@ -270 +277 @@
 SELECT COUNT(DISTINCT(com.id))
   FROM '.IMAGE_CATEGORY_TABLE.' AS ic
-    INNER JOIN '.COMMENTS_TABLE.' AS com
+    INNER JOIN '.COMMENTS_TABLE.' AS com    
     ON ic.image_id = com.image_id
+    LEFT JOIN '.USERS_TABLE.' As u
+    ON u.'.$conf['user_fields']['id'].' = com.author_id
   WHERE '.implode('
     AND ', $page['where_clauses']).'
@@ -309 +318 @@
     INNER JOIN '.COMMENTS_TABLE.' AS com
     ON ic.image_id = com.image_id
+    LEFT JOIN '.USERS_TABLE.' As u
+    ON u.'.$conf['user_fields']['id'].' = com.author_id
   WHERE '.implode('
     AND ', $page['where_clauses']).'